Check Point VPN
This document describes the steps required to integrate a Check Point VPN with the Keyless RADIUS Server.
Check Point Secure Remote Access is a VPN solution from Check Point that can be integrated with Keyless to provide a secure login experience. In this guide, we will show how this can be accomplished using the Keyless RADIUS Appliance.
Assumptions
At least one account has been configured with the Keyless Authenticator so that it could be used to test authentication on the Keyless Radius server.
Check Point Server is already up and running - its initial setup is out-of-scope of this guide.
Check Point Mobile Access role has been configured and a VPN connection with a standard username and password is up and running.
An internal network (i.e. CP_Default_Office) to which VPN clients will be directed has been created.
This document is based on the below network configuration (i.e. network setup, routes, etc). Steps may vary according to your network configuration and architecture.
This walkthrough uses Check Point standalone version R80.40, where both the management and gateway server roles are installed on the same machine. Steps may vary between Check Point server and client versions.
Adding the RADIUS Server in the Check Point Gateway server
Open Check Point SmartConsole, select the Gateway that will use the Keyless RADIUS server and click on "Edit".
1. In the SmartConsole, create a RADIUS Host object by selecting "New" > "Host".
2. Name the Host object with a meaningful name (i.e. Keyless RADIUS Connector) and assign its Public IP address.
3. Create a RADIUS Server object by selecting "New" > "More" > "Server" > "More" > "RADIUS".
Configure the following values:
Name the RADIUS Server object (i.e. Keyless RADIUS).
Associate the RADIUS Server object with the RADIUS Host object created in the previous step (i.e. Keyless RADIUS Connector).
Select "NEW-RADIUS" on port 1812
The Keyless RADIUS Connector listens on port 1812
Assign the same Shared Secret that you configured on the Keyless RADIUS Connector deployment (see here).
Select RADIUS Ver. 2.0
Select PAP as Protocol
Select 1 as Priority (it is assumed that this is the only RADIUS Server)
Click "OK".
Now, go to "VPN Clients" > "Office Mode" and configure the following values:
Select "Allow Office Mode" for all users.
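Before pointing the gateway at the connector, it is worth confirming from a host that can reach it that the connector answers on UDP port 1812 and that the shared secret on both sides matches. The following Python script is an added example, not Keyless or Check Point code: it builds an RFC 2865 PAP Access-Request the way the gateway will (User-Password hidden with MD5 of the shared secret and the Request Authenticator) and validates the Response Authenticator of the reply, so a reply from a peer that does not hold the shared secret is discarded. The host, username and secret are placeholders you supply; the user must already be enrolled in the Keyless Authenticator, as assumed above.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and attribute types used by a PAP Access-Request.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
RADIUS_PORT = 1812  # the port the Keyless RADIUS Connector listens on

def pap_crypt(data: bytes, secret: bytes, auth: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block); the same loop with decrypt=True reverses it."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev, out = (block if decrypt else res), out + res
    return out

def build_access_request(ident: int, auth: bytes, user: str, password: str,
                         secret: bytes, nas_id: bytes) -> bytes:
    # Header (Code, ID, Length, Request Authenticator) followed by TLV attributes.
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (USER_NAME, user.encode()), (NAS_IDENTIFIER, nas_id),
        (USER_PASSWORD, pap_crypt(password.encode(), secret, auth))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def make_reply(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Accept a reply only if its ID matches ours and its Response Authenticator proves the secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return reply[1] == ident and reply[4:20] == expected

def send_probe(host: str, secret: bytes, user: str, password: str, timeout: float = 60.0) -> int:
    """Send one Access-Request to the connector; returns 2 (Accept) or 3 (Reject)."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, auth, user, password, secret, b"cp-preflight")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # approving the push on the Keyless Authenticator takes human time
        sock.sendto(pkt, (host, RADIUS_PORT))
        reply, _ = sock.recvfrom(4096)
    if not verify_reply(reply, ident, auth, secret):
        raise ValueError("reply failed the Response Authenticator check")
    return reply[0]
```

Call `send_probe("<connector-ip>", b"<shared-secret>", "<enrolled-user>", "anything")` from a host that can reach the connector; as with the VPN client later in this guide, the password value is irrelevant because Keyless authenticates via the push notification.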
Office Mode Method
Select "From ipassignment conf located in $FWDIR/conf - always tried first"
Using one of the following methods
Select "Manual (using IP pool)"
Select an internal network that has been previously configured
Click on the "OK" button.
Now go to "Mobile Access" > "Authentication" in the Check Point SmartConsole.
Click on the "Settings" button and configure as follows:
Check "Allow newer clients that support Multiple Login Options to use this authentication method".
Display Name: RADIUS
Authentication method: RADIUS
Server: Select the RADIUS Server previously created (i.e. Keyless RADIUS)
Click on the "OK" button.
Now go to "Mobile Access" > "Office Mode" and configure the following values:
Select "Allow Office Mode" for all users.
Office Mode Method
Select "From ipassignment conf located in $FWDIR/conf - always tried first"
Using one of the following methods
Select "Manual (using IP pool)"
Select an internal network that has been previously configured
Click on the "OK" button.
Create a new "External User Profile" that will be applied to all users
In the SmartConsole, go to the "Manage & Settings" tab.
Click "Blades".
Click "Mobile Access" > "Configure in SmartDashboard"
From the Network object tree, click the Users icon.
Right-click "External User Profiles" and select "New External User Profile" > "Match all users...".
Configure this profile as follows:
General Properties
External Username Profile: generic* (should be the default option)
Authentication
Authentication Scheme: RADIUS
Select a RADIUS Server or a Group Of Servers: Select the RADIUS Server object previously created (i.e. Keyless RADIUS)
Click "OK" and close the SmartDashboard.
Install the policy in the SmartConsole portal.
Configure the Check Point VPN Client
The Check Point VPN client can be downloaded from this website.
Start the installation wizard and select the "Endpoint Security VPN" option when asked:
In the bottom right corner of the Windows taskbar, click on the Check Point VPN Client icon and then click on "Connect to...".
Select "Yes" if you are prompted with the following message.
Click "Next".
Server address or Name: Provide the Check Point Server Public IP (i.e. 88.99.77.89)
Display Name: CheckPoint VPN Name (i.e. Keyless VPN)
Click "Next"
Once the VPN client has discovered Check Point VPN Server, select RADIUS (default) as the login option and click "Next".
Select "Username and Password" and click "Next".
Click on the "Finish" button.
Test the Keyless Authentication
In the bottom right corner of the Windows taskbar, click on the Check Point VPN Client icon and then click on "Connect to...".
Username: provide the username that you've used during the enrollment process with Keyless Authenticator
Password: provide a random fake password (the Check Point client requires a non-empty password)
Click "Connect"
You'll receive a notification on Keyless Authenticator. Once you've been authenticated, the VPN Client will be connected.